Bringing data security to startups starts with relationships
Hardly a day goes by that you don’t hear about the next breakthrough idea or life-changing app coming from a startup. But as many customers readily provide their personal information to these companies, they assume that the startup has prioritized the security of that information, when in reality that may not be the case.
In the fast-paced world of a startup, the company typically believes that implementing security is a lower priority than delivering the product, and that rapid release is crucial to keep its edge in the marketplace.
Let’s use a typical software startup as an example. The primary objective is to build an app that it can ultimately sell. Peeling back the layers of the organization, it quickly becomes apparent that each business function has its own focus to achieve that goal. The focus for most business units is the customer buying the app. Meanwhile, the security team is often viewed internally only as a support function that provides little direct benefit to the business.
The key in a startup is that everyone and everything must have a purpose. If you aren’t shipping code or supporting those who do, it’s easy for the company to perceive your role as waste. Security can have a direct impact on the product and the teams that support it, if positioned correctly. This comes from two primary directions: supporting customers through information security assurance, and providing a service to support internal team objectives. Let’s break each of these down a little further.
The average single-user customer’s needs are fairly basic. However, larger companies that want to adopt a startup’s product typically do so with extra caution. They utilize vendor security reviews, validate audit and compliance initiatives, and sometimes even request in-person assessments. Most startups aren’t equipped to handle these requests, which could result in lost sales. These interactions are valuable to the business and should be supported by the security team.
Additionally, security can perform mock audits within the company to provide a proactive approach to speed up customer response and help find gaps that need to be addressed. This customer-centric approach enables the business to increase sales to all types of customers while also helping to ensure the internal integrity of the app.
Another important focus of a security team is identifying opportunities to support other internal teams in their goals. More traditional security organizations may hide behind audits or industry best practices and utilize a heavy-handed approach to enhance the security posture of their organization.
The challenge with this technique in a startup is that it goes directly against the natural inclination of the people attracted to working at a startup, and only ends up hurting the perception of the security program. When teams feel ignored, or feel that they aren’t allowed a role in developing a solution in their own platform, traction is lost quickly.
Considering the needs of internal functions shows an immediate value of the security program and makes it clear that security’s objectives are both customer- and business-focused. This more cooperative methodology also helps facilitate the uptake of security culturally and can be measured when discussing program effectiveness with leadership.
Security professionals must adapt to a new reality when it comes to bringing their craft into a startup. They should focus on cooperation and transparency over brute force. Many will be surprised at the number of security advocates spread throughout the business if they are willing to take the time to listen and learn. A plethora of opportunities exist to mature a company’s security posture if one understands the underlying motives of the teams with whom they are working.
In my experience, one of the best ways to achieve harmony between security and other operational teams is spending a substantial amount of time understanding how the business works and how each team contributes to it. Finding allies in the business that support your direction will make every change going forward much easier to manage.
One of the most powerful initiatives a new security program can take on in a startup is helping drive innovation that the engineers already recognize and want to address but may not have the influence to accomplish.
There is nothing revolutionary about security teams needing to show value to stay relevant. My biggest challenge for developing security in startups has been finding a way to show value without being ostracized because I have “security” in my job description. While the approach may seem slow, the result is a successful startup security program that would not be possible using more traditional security methodologies. When looking at information security in a startup, the key to success is all in the approach.
(Editor's note: Ryan Kelch will be covering this topic in-depth at ISACA’s CSX North America 2017 conference during his presentation, “Building Security in the Startup Culture.”)